With an analyzing program I built, I ran into a bug where a user had a primary group set to a since-deleted group (no longer in the /etc/group file). To scope the impact I ran some tests and ran into what appears to be some strange behaviour:
It appears that for the rights check in sudoers, both the /etc/group file and the primary group of the user are searched separately and the primary group therefore doesn't have to be an actual group?
Question: Is this correct? What am I missing? I'm not sure why the client had a primary group deleted, but this doesn't seem right.
Device specs:
Linux Ubuntu 20.04.1
5.13.0-1017-azure x86_64
Steps to reproduce:
1. Create new user: sudo useradd testuser
   This created both the user and a separate new group with the same name, which became its primary group.
2. Check groups of new user: groups testuser
   Result: 'testuser : testuser'
3. Delete the new group via command: sudo groupdel testuser
   Got the following error message: groupdel: cannot remove the primary group of user 'testuser'
4. Delete the new group via manual file adjustment: sudo nano /etc/group
   This did work, as I could simply delete the last line with the relevant group and save the file.
5. Check groups of new user again: groups testuser
   Result: 'testuser : groups: cannot find name for group ID 1003
   1003'
6. Try to log in as the new user after removing the group: Success, could still log in.
7. Try to execute a sudo command as the new user: Failed as expected: 'testuser is not in the sudoers file. This incident will be reported'
8. Log back in as the privileged account (which does have sudo rights).
9. Give the group name removed in step 4 sudoer rights in the sudoers file: sudo nano /etc/sudoers
   Then add this to the file:
   %testuser ALL=(ALL:ALL) ALL
10. Log in as the new user and execute the sudo command again: Still failed: 'testuser is not in the sudoers file. This incident will be reported'
11. Give the group id removed in step 4 sudoer rights in the sudoers file: sudo nano /etc/sudoers
    Then add this to the file:
    %#1003 ALL=(ALL:ALL) ALL
12. Log in as the new user and execute the sudo command again: Success, user now has SUDO rights (I had really hoped this not to be the case).
13. Create a new group: sudo groupadd testforid
    New group created with ID 1003
14. Check groups of new user again: groups testuser
    Result: 'testuser : testforid'
Yes, deleted groups still work as primary groups; in fact, groups which have never been created work as primary groups.
This is because all that matters ultimately for users and groups is their identifiers. The mapping between a user and its primary group, e.g. in /etc/passwd, associates identifiers. In your example, testuser was assigned primary group 1003; whether that group was given a name (in /etc/group in your case) was irrelevant. When you granted group 1003 sudo privileges, testuser was granted those privileges through that group.
User names and identifiers follow the same rule: all that matters ultimately is the user identifier. Files owned by a given user are tied to that user through the identifier, not the name, and that association persists when the user is removed. Files can also be created with a user identifier which has no matching user on the system.
Multiple user names and group names can also be associated with the same user and group id, respectively; there's no requirement for the mappings to be bijective. Thus permissions etc. can be defined in terms of user/group identifiers, and those identifiers can have 0 or more names associated with them.
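As an added illustration (not part of the question or the answer above), here is a small Python audit over constructed /etc/passwd, /etc/group and sudoers contents; it flags users whose primary GID has no group entry and shows that a %#gid sudoers rule still matches such a user while a %name rule does not. The sample file contents and helper names are my own assumptions.

```python
import re
# Constructed sample files (not from the question), modelled on its scenario:
# testuser's primary GID 1003 has no /etc/group line, as after step 4.
PASSWD = """admin:x:1000:1000::/home/admin:/bin/bash
testuser:x:1001:1003::/home/testuser:/bin/sh
"""
GROUP = """sudo:x:27:admin
admin:x:1000:
"""
SUDOERS = """%testuser ALL=(ALL:ALL) ALL
%#1003 ALL=(ALL:ALL) ALL
"""

def parse_passwd(text):
    """Map user name -> primary GID (4th field of /etc/passwd)."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith('#'):
            f = line.split(':')
            users[f[0]] = int(f[3])
    return users

def parse_group(text):
    """Map GID -> (group name, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith('#'):
            f = line.split(':')
            groups[int(f[2])] = (f[0], set(f[3].split(',')) - {''})
    return groups

def user_gids(user, users, groups):
    """All GIDs a user holds: the passwd primary GID plus group memberships."""
    return {users[user]} | {g for g, (_, m) in groups.items() if user in m}

def dangling_primary_gids(users, groups):
    """Users whose primary GID has no /etc/group entry (the audit finding)."""
    return {u: g for u, g in users.items() if g not in groups}

def matching_sudoers_group_rules(user, users, groups, sudoers):
    """%name rules need a group entry to resolve the name; %#gid rules do not."""
    gids = user_gids(user, users, groups)
    names = {groups[g][0] for g in gids if g in groups}
    hits = []
    for line in sudoers.splitlines():
        m = re.match(r'%(#?)(\S+)\s', line)
        if m and ((m.group(1) and m.group(2).isdigit() and int(m.group(2)) in gids)
                  or (not m.group(1) and m.group(2) in names)):
            hits.append(m.group(0).strip())
    return hits
```

Adding a line `testforid:x:1003:` to the group data, as step 13 does, makes the dangling-GID finding disappear while the %#1003 rule keeps matching, which is the behaviour the question observed.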